2008-10-06 Update: I did eventually get an e-mail notice sent to the e-mail associated with the account about 6 hours after I reset my password.It still looks to me like the account can be hijacked, and the password restrictions and suggested examples are pathetic.
Account claiming is an interesting problem. The tradeoffs necessary to balance ease of use, security and help desk call volume are non-trivial.
2008-10-05 9:59 PM:
I'm a bit disappointed how easy it was to recover online access to my American Express account.
- Enter the card number
- Enter the four digit card ID number on the front of the card
- Enter my mothers maiden name
"spaces or special characters (e.g., &, >, *, $, @)"
That makes choosing a password tough. My normal &mex$uck$ password will not work. But fortunately for me, the help screens on picking a new password contain useful examples:
Examples of a valid password are: snowman4, 810main, and year2k."
Never mind that whole dictionary thing. Nobody will ever guess a password like 'year2k'.The Amex account is set up to send me an SMS alert for any 'Irregular Account Activity'. I did not get an SMS, even though on line recovery of both userid and password would certainly be worth an SMS in my book.
There are better ways of doing this. They could have asked me for some secret number that only exists on my last statement, or information on recent card activity, or perhaps like my health care provider, the account reset could generate a letter with a token, sent to my home address via good old fashioned postal mail.